Around eight months ago Microsoft released a fix for its vulnerable Microsoft exchange servers.
At the time the risk revolved around a bug that allowed authenticated attackers to execute code remotely (RCE).
The vulnerability (CVE-2020-0688) is in the control panel of Exchange, Microsoft’s mail server and calendaring server.
The bug, which stems from the server failing to properly create unique keys at install time, was fixed as part of Microsoft’s February Patch Tuesday updates – and last March users were warned that unpatched servers are being exploited in the wild by unnamed advanced persistent threat (APT) actors.
Microsoft Exchange – Still not enough adopters
However, according to Rapid7‘s telemetry found that 61 percent of Exchange 2010, 2013, 2016 and 2019 servers (out of 433,464) are still vulnerable to the CVE.
Obliviously these numbers are not official as Tom Sellers from Rapid7 explained “I want to point out that our numbers here will be fairly accurate, but not perfect. This is due to a couple of factors: First, the method that we use to fingerprint Exchange OWA allows us to determine the Exchange version down to <major version>.<minor version>.<build number>, but we cannot see the revision. For example, for Exchange Server 2019 Cumulative Update (CU) 7, with the latest updates the build number is 15.2.721.2, but we only see 15.2.721. This means that we can tell that the server is running 2019 CU7, but we can’t be sure whether this month’s patches were installed. Second, and most frustrating, is that Microsoft’s updates don’t always adjust the version number shown by tooling. Even Microsoft’s own Exchange Admin Center and Get-ExchangeServer command will report incorrect versions in many instances.”
Still they are a clear indicator of a potential problem, as researchers warned in a March advisory that unpatched servers are being exploited in the wild by unnamed APT actors.
Rapid7 guide to Taking action
Still, as this is a patching problem, companies should be able to take quick action to close this vulnerability.
But as a comprensive guide to remediation we are just going to refer to the experts, as reported below with this advice:
- Organizations using Exchange 2010 or earlier should aggressively pursue upgrading their environment to supported technologies.
- Organizations using Exchange 2013 should ensure they have a plan and timeline for upgrading to supported technologies by April 11, 2023. Remember that the most modern version of Windows Server that 2013 supports is also going EoS that year, so the process may introduce new server OSes into the environment as well.
- Organizations using Exchange 2016 or on-premises 2019 should ensure their Exchange environment is currently up-to-date and that there is a plan and process for keeping it updated.
- Organizations using Exchange hosted by a non-Microsoft vendor should ensure the vendor has a plan and process for keeping the software up-to-date. They should also verify this is being done and hold the vendor accountable if not.
- Leverage vulnerability management tools and other types of tools to detect when Exchange environments are missing updates. They will be particularly helpful when Exchange version numbers cannot be reliably determined.